Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    file.exe

  • Size

    424KB

  • Sample

    221206-2kcxpsde6w

  • MD5

    4c6266913d07fb5f0d93a672245bce4d

  • SHA1

    7f0350c11ffd551d254b43104b777b037bb483f9

  • SHA256

    5466d0943a1847718121bd431d6ecbf3bfcd0d10fcc0d97cd559c5e99f4bf92e

  • SHA512

    b0ff6f887110643c08a98800cd62cb320aba82969632539058a998fc90495b4262bdb2feb5b7785380a4e3f54a64ec894da24319040de90a25caf9e84145b794

  • SSDEEP

    6144:op6hZKsL6S1a6x3KL01PzJA0S6qm/3ydFBDfxhgAWcoBlC9XcObSaVe:opwZfuS1a65AcO0S6xyjBJMcWCFfS3

Malware Config

Extracted

Family

amadey

Version

3.50

C2

62.204.41.6/p9cWxH/index.php

Extracted

Family

redline

Botnet

new2811

C2

jamesmillion.xyz:15772

Attributes
  • auth_value

    86a08d2c48d5c5db0c9cb371fb180937

Targets

    • Target

      file.exe

    • Size

      424KB

    • MD5

      4c6266913d07fb5f0d93a672245bce4d

    • SHA1

      7f0350c11ffd551d254b43104b777b037bb483f9

    • SHA256

      5466d0943a1847718121bd431d6ecbf3bfcd0d10fcc0d97cd559c5e99f4bf92e

    • SHA512

      b0ff6f887110643c08a98800cd62cb320aba82969632539058a998fc90495b4262bdb2feb5b7785380a4e3f54a64ec894da24319040de90a25caf9e84145b794

    • SSDEEP

      6144:op6hZKsL6S1a6x3KL01PzJA0S6qm/3ydFBDfxhgAWcoBlC9XcObSaVe:opwZfuS1a65AcO0S6xyjBJMcWCFfS3

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks